Orangeworm hacker group attacks health-care sector

A recent report from Symantec’s Security Response Attack Investigation Team has zeroed in on a hacking group that is targeting the health-care industry. Symantec tracks the group as Orangeworm, and it has been linked to intrusions at health-care-related organizations in the United States, Europe, and Asia. The group was unknown when it first showed up on researchers’ radars in 2015; its methodology and target selection are now well documented, even though the individuals behind it have not been identified.

Symantec noted the following about Orangeworm’s targets:

Based on the list of known victims, Orangeworm does not select its targets randomly or conduct opportunistic hacking. Rather, the group appears to choose its targets carefully and deliberately, conducting a good amount of planning before launching an attack.

Orangeworm’s main tool is a backdoor that Symantec calls Trojan.Kwampirs. Kwampirs has been found on the software used to control X-ray and MRI machines, on systems connected to networks holding highly sensitive patient data, and on other systems belonging to large health-care organizations and to the IT providers, equipment manufacturers, and other partners that supply them.

Once the backdoor has been installed (Kwampirs first decrypts and extracts its main DLL payload) and the victim has been judged to be of interest, the malware’s next step is to “aggressively copy the backdoor across open network shares to infect other computers.”

Symantec notes that the backdoor spreads through the network by writing itself to hidden administrative shares, including:

  • ADMIN$

The purpose of all of this is an aggressive form of reconnaissance, which Symantec suggests may be linked to corporate espionage. The internal data collected in these attacks can be very valuable, because it covers not only the compromised company but also any business partner the company deals with.

Symantec notes that the Orangeworm hackers aren’t particularly concerned with stealth. Their attacks are what we in the security field call “loud”: copying a backdoor to the ADMIN$ share of machine after machine is exactly the kind of activity that should trip an IDS or IPS, or any other alerting that an IT department responds to. A big reason why such a reckless approach still works is that many health-care organizations continue to run Windows XP. XP has been out of support for years, lacks the exploit mitigations and logging of current Windows releases, and is a comfortable host for this style of share-based propagation, so an intruder finds it easier both to get in and to stay in.
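The propagation method described above leaves a distinctive trace: a single source host touching the hidden admin shares of many other machines in a short time. The following hunting script is an added example and is not code from Symantec’s report or from the article. It assumes a simplified, one-line-per-event rendering of Windows Security Event ID 5140 (“A network share object was accessed”) that is constructed here for illustration, and the time window and target thresholds are assumptions a defender would tune to their own environment.

```python
"""Hunt for Kwampirs-style spreading over hidden administrative shares.

Detection logic run over constructed Windows Security log lines in a simplified
format (Event ID 5140, one event per line). The sample lines and the thresholds
below are assumptions made for this example, not data from the report.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# ADMIN$ is the share named in the report. The drive-letter shares are
# Windows' other default hidden shares; watching them too is an assumption.
ADMIN_SHARES = {"ADMIN$", "C$", "D$", "E$"}

# Assumed line layout: "<utc-timestamp> <event-id> src=<ip> host=<target> share=\\*\<name>"
LINE_RE = re.compile(
    r"^(\S+) (\d+) src=(\S+) host=(\S+) share=\\\\\*\\(\S+)$"
)

# Constructed sample log: 10.1.5.22 behaves like the backdoor (six targets in
# under three minutes); 10.1.9.40 looks like an administrator doing routine work.
SAMPLE_LOG = r"""
2018-04-20T09:00:01Z 5140 src=10.1.5.22 host=RAD-WS01 share=\\*\ADMIN$
2018-04-20T09:00:03Z 5140 src=10.1.5.22 host=RAD-WS02 share=\\*\ADMIN$
2018-04-20T09:00:04Z 5140 src=10.1.5.22 host=MRI-CTRL1 share=\\*\ADMIN$
2018-04-20T09:00:09Z 5140 src=10.1.5.22 host=XRAY-CTRL2 share=\\*\C$
2018-04-20T09:01:12Z 5140 src=10.1.5.22 host=NURSE-PC7 share=\\*\ADMIN$
2018-04-20T09:02:30Z 5140 src=10.1.5.22 host=BILLING-03 share=\\*\ADMIN$
2018-04-20T09:02:31Z 4624 src=10.1.5.22 host=BILLING-03 share=-
2018-04-20T09:05:00Z 5140 src=10.1.9.40 host=FILESRV1 share=\\*\Radiology
2018-04-20T09:06:00Z 5140 src=10.1.9.40 host=FILESRV1 share=\\*\C$
2018-04-20T11:15:00Z 5140 src=10.1.9.40 host=FILESRV2 share=\\*\ADMIN$
""".strip().splitlines()


def parse_5140(line):
    """Parse one log line; return a dict for Event 5140, or None otherwise."""
    m = LINE_RE.match(line.strip())
    if not m or m.group(2) != "5140":
        return None
    return {
        "ts": datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ"),
        "src": m.group(3),
        "host": m.group(4),
        "share": m.group(5),
    }


def find_share_spreaders(lines, window=timedelta(minutes=10), min_targets=5):
    """Return {source_ip: [targets]} for sources that wrote to admin shares on
    at least `min_targets` distinct hosts within any `window`-long period."""
    events = defaultdict(list)
    for line in lines:
        ev = parse_5140(line)
        if ev and ev["share"] in ADMIN_SHARES:
            events[ev["src"]].append((ev["ts"], ev["host"]))

    alerts = {}
    for src, evs in events.items():
        evs.sort()  # sort by timestamp so each window scan is a forward slice
        best = set()
        for i, (t0, _) in enumerate(evs):
            # Distinct hosts touched in the window that opens at this event.
            hosts = {h for t, h in evs[i:] if t - t0 <= window}
            if len(hosts) > len(best):
                best = hosts
        if len(best) >= min_targets:
            alerts[src] = sorted(best)
    return alerts


if __name__ == "__main__":
    for src, targets in find_share_spreaders(SAMPLE_LOG).items():
        print(f"ALERT {src} wrote to admin shares on {len(targets)} hosts: "
              + ", ".join(targets))
```

Run against a real environment, the same logic would be fed Event 5140 records exported from the domain’s Security logs (or the equivalent SIEM search); the thresholds are deliberately generous, since a deployment tool or a busy administrator can legitimately touch a handful of ADMIN$ shares in ten minutes, while the backdoor’s copy-to-everything behaviour reaches far more.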

This last point is crucial, as cybersecurity professionals have warned against the dangers of running obsolete OS versions like XP for years. I have been one of those people, and I constantly warned that the issues would reach critical mass; once they did with WannaCry, I thought there might be a change. Obviously, the change wasn’t enough, as Orangeworm is proving that XP is still widely in use in such a sensitive industry.

Health-care executives: Update your OS or continue to suffer the consequences of your inaction.

Photo credit: Wikimedia

Derek Kortepeter

Derek Kortepeter is a graduate of UCLA and tech journalist that is committed to creating an informed society with regards to Information Security. Kortepeter specializes in areas such as penetration testing, cryptography, cyber warfare, and governmental InfoSec policy.

